I can't access my server through my wlan ip 192.168.1.4.
My httpd.conf file has a line:
<Directory "c:/wamp/bin/apache/apache2.4.9/cgi-bin">
AllowOverride None
Options None
Require all granted
</Directory>
You need to look at this section of your httpd.conf file.
# onlineoffline tag - don't remove
Require local
Now add either a specific ip that you want to allow like this
# onlineoffline tag - don't remove
Require local
Require ip 192.168.1.200
Or allow access from any ip in the 192.168.1 subnet like this
# onlineoffline tag - don't remove
Require local
Require ip 192.168.1
What I want here is that, if I create any csv, log, txt or sh file in public or any other folder inside /var/www/ and forget to remove/delete it, and if any attacker hits the valid file path or URL, then Apache should not send that csv, log, txt or sh file in response.
I changed my apache2.conf as below but still when I hit URL like
mysite.com/website_content/assets/transactions.csv
It sends me the file in response. And I can download it.
<FilesMatch "\.(csv|sh|log|txt)$">
Require all denied
</FilesMatch>
I want Apache to not send any file of csv, docx, doc, sh, log, txt in response. Any help would make my life easy.
My team leader solved this issue efficiently as
<Files ~ "\.csv$">
Order allow,deny
Deny from all
</Files>
And then I changed into this one to block multiple files as
<Files ~ "\.(csv|sh|txt|doc|docx|zip|gz|bz|py|xlsx|db|pdf|crt|info|key|rb)$">
Order allow,deny
Deny from all
</Files>
There will be 403 Forbidden whenever anyone tries to access such type of files.
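Added example (not from the thread): a Python check of which leftover files the pattern in the answer above would still let through, compared with the extensions the question listed. It assumes case-sensitive matching as on a Linux host and that Python's `re` treats these patterns the same way Apache's regex engine does; `HARDENED_PATTERN`, the sample paths and the function names are constructed for illustration.

```python
import os
import re

# Pattern copied from the <Files ~ "..."> block in the answer above.
ANSWER_PATTERN = r"\.(csv|sh|txt|doc|docx|zip|gz|bz|py|xlsx|db|pdf|crt|info|key|rb)$"
# Same list plus "log", with an inline case-insensitive flag (hypothetical variant).
HARDENED_PATTERN = r"(?i)\.(csv|sh|log|txt|doc|docx|zip|gz|bz|py|xlsx|db|pdf|crt|info|key|rb)$"
# Extensions the question asked Apache never to serve.
WANTED = {"csv", "docx", "doc", "sh", "log", "txt"}

# Constructed sample paths, relative to a document root.
SAMPLE_PATHS = [
    "website_content/assets/transactions.csv",
    "website_content/assets/TRANSACTIONS.CSV",
    "logs/debug.log",
    "public/deploy.sh",
    "public/notes.TXT",
    "public/index.php",
]


def is_denied(path, pattern=ANSWER_PATTERN):
    """<Files> tests only the file name, as an unanchored regex search."""
    return re.search(pattern, os.path.basename(path)) is not None


def still_served(paths, pattern=ANSWER_PATTERN, wanted=WANTED):
    """Paths with a wanted extension that the pattern does not deny."""
    missed = []
    for path in paths:
        ext = os.path.splitext(path)[1].lstrip(".").lower()
        if ext in wanted and not is_denied(path, pattern):
            missed.append(path)
    return missed


def scan_docroot(root, pattern=ANSWER_PATTERN):
    """Walk a real document root and report leftover files the rule misses."""
    found = []
    for dirpath, _dirs, names in os.walk(root):
        found.extend(os.path.join(dirpath, name) for name in names)
    return still_served(found, pattern)


if __name__ == "__main__":
    print("answer pattern misses:  ", still_served(SAMPLE_PATHS))
    print("hardened pattern misses:", still_served(SAMPLE_PATHS, HARDENED_PATTERN))
```

The pattern from the answer leaves `.log` files and upper-case extensions uncovered; `scan_docroot("/var/www")` runs the same check against a real tree.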
I want to restrict access to a directory using SetEnvIfNoCase and a wildcard for Remote_Host. For example, I'd like to permit access to the directory for any client requesting the directory from *.example.com.
(In practice, I'm going to use it to restrict access of this directory to requests from googlebot.com, etc.)
What I have in my htaccess does not work and I believe it is because of an improperly formatted wildcard:
SetEnvIfNoCase Remote_Host ^(.*).example.com$ OK_friend
Order Deny,Allow
Deny from All
Allow from env=OK_friend
I have tried changing the Remote_Host to Remote_Addr and putting my IP address, and everything works fine. I just can't seem to get this to work for a wildcard on the remote hostname.
Try non-greedy by adding a "?" and escape your "." since it is a RegEx metacharacter:
^(.*?)\.example\.com$
Or you can simplify it further if you're just running a check without capturing any groups:
^.*?\.example\.com$
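Added example (not from the thread): a Python comparison of the pattern in the question with the escaped pattern from the answer, run over constructed hostnames. It assumes Python's `re` handles these patterns like Apache's regex engine, and models `SetEnvIfNoCase` as a case-insensitive search; the hostnames and function names are made up for illustration.

```python
import re

QUESTION_PATTERN = r"^(.*).example.com$"   # as written in the question
ANSWER_PATTERN = r"^.*?\.example\.com$"    # escaped form from the answer

# Constructed hostnames: genuine subdomains first, then near misses.
HOSTS = [
    "crawl-1.example.com",
    "CRAWL-1.Example.COM",
    "a.b.example.com",
    "example.com",
    "notexample.com",
    "crawl.exampleXcom",
    "crawl.example.com.other.test",
]


def sets_flag(pattern, host):
    """Model SetEnvIfNoCase: case-insensitive regex search on the attribute value."""
    return re.search(pattern, host, re.IGNORECASE) is not None


def accepted(pattern, hosts=HOSTS):
    """Hostnames for which the pattern would set the OK_friend variable."""
    return [h for h in hosts if sets_flag(pattern, h)]


def disagreements(hosts=HOSTS):
    """Hostnames on which the two patterns give different results."""
    return [
        h for h in hosts
        if sets_flag(QUESTION_PATTERN, h) != sets_flag(ANSWER_PATTERN, h)
    ]


if __name__ == "__main__":
    print("question pattern accepts:", accepted(QUESTION_PATTERN))
    print("answer pattern accepts:  ", accepted(ANSWER_PATTERN))
    print("differ on:               ", disagreements())
```

Both patterns accept the genuine subdomains; they differ only on hostnames where the unescaped `.` stands in for some other character.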
Recently I used WAMP server to set up a server environment in a Windows machine. Everything works great, but I have a little problem: everyone can access the wampserver homepage, therefore they can see other webpages hosted in the same server, the server file system, etc.
The URLs of the webpage have the following format: hostname/project1, hostname/project2... The main problem is that, anyone can see all the projects that are hosted by going to the direction of the hostname because this will lead to the wampserver homepage, and I would prefer that this homepage could be accessed only in the localhost of the windows host. Is there any way to do that? I'm guessing that I will need to modify some parameters in configuration files, but I have no idea which ones...
If you intend to block access to all sites hosted on this computer from outside access, you can do this in your main apache configuration file at <installation drive>/wamp/bin/apache/Apache<version number>/conf/httpd.conf. .htaccess is more for per-site configurations, though it will certainly work if you put it in the main www directory.
To disallow outside access to the www folder (open by default) find the part of the apache configuration file (path shown above) that looks like:
<Directory "<installation drive>/wamp/www">
# There will be comments here and some options like FollowSymLinks and AllowOverride
Order Allow,Deny
Allow from all
</Directory>
And change it to:
<Directory "<installation drive>/wamp/www">
# There will be comments here and some options like FollowSymLinks and AllowOverride
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
</Directory>
If your goal is not to block outside access to all of your sites, it would help to know more about your set up. And if your goal is only to block the 'localhost' page and still allow access to, say, 'localhost/site1' then this question may be a duplicate of this.
Edit:
As you point out, there is not a good resolution for the question I linked. Assuming you have your public sites set up as virtual hosts in a sub folder of the webroot like:
|-wamp_root
  |-www
    |-vhosts
      |-public_site_1
      |-public_site_2
Then you can go back into your httpd.conf and add this below your /wamp/www/ rule:
<Directory "<installation drive>/wamp/www/vhosts/">
# There will be comments here and some options like FollowSymLinks and AllowOverride
Order Allow,Deny
Allow from all
</Directory>
This will allow anything in the www folder to be accessed only locally, and anything in the vhosts sub folder to be accessible outside. Again, remember to restart Apache whenever you change this file.
It should be possible to block other users using the windows firewall.
You could also use a .htaccess file like this one:
Order deny,allow
Deny from all
Allow from 127.0.0.1
You will have to make sure that AllowOverride is set to All in the apache configuration and that the .htaccess will be applied to all subdirectories too, otherwise your projects will still be available.
It appears (after a bit of head-scratching myself), the answer to this question was simple.
In the Windows Taskbar, left click the WAMP icon, then click 'Put Offline'.
It doesn't appear to take the entire webserver "offline", just the root homepage? and anything you've configured in your httpd.conf file to be accessible externally still stands, they are still reachable.
NOTE: The default VHOST's are still reachable though, PHPINFO and PHPMYADMIN for example!
It is not difficult.
edit the index file by notepad++
find the line &projectContents
change from &projectContents to &project---Contents
then the project title disappears.
I have seen it before where, to stop the need to restart the Apache service when a new virtual host is added you can use regular expressions to setup a Virtual Host. I have a server where sites are added and removed fairly often, and would like to do so.
All directories for the sites are in the following format: /var/www/{domain-of-site}/www. So I need to match the regular expression "var/www/([A-Za-z0-9.]){1,}/www" to get both the directory and the domain name.
Is this really possible in Apache2? If so what would a basic look like?
I do this on my dev machine. You need to enable mod_vhost_alias.
Then in your vhosts file, add:
VirtualDocumentroot "/var/www/%-1.0s/%-2.0/public_html"
<Directory "/var/www">
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
This will point http://mydevproject.client to /var/www/clients/mydevproject/public_html
I'm sure this is possible, but it's beyond my meager abilities with .htaccess files.
We have an internal PHP app that we use, we have basic security internally, but don't need to worry too much. I would like to make it available online for use when staff are out and about. I would like to have additional security based on htaccess or htpassword files.
Is it possible to write a htaccess file that does the following
If user is accessing from office.mydomain.com it means they are internal (office.mydomain.com resolves to an internal ip like 192.168.22.22) so allow unimpeded access
If the user is accessing from outside it will be external.myoffice.com - if this is the case as an added bit of security I would like to use .htaccess and a password file to get the user to enter an apache password.
Can anyone tell me how to write this with .htaccess file?
Update: Thanks for all the answers, I have posted what worked for me as an answer to help others.
You can use
RewriteCond %{REMOTE_ADDR} !^192\.168\.
to specify the condition of an external IP, or use
RewriteCond %{REMOTE_ADDR} ^192\.168\.
for the condition of a local IP.
You will just have to integrate these into your existing htaccess rules in a sensible way.
I think this does do what you want;
http://codesanity.net/2009/11/conditional-htpasswd-multienvironment-setups/
http://tomschlick.com/2009/11/08/conditional-htpasswd-multi-environments/
https://tomschlick.com/2009/11/08/conditional-htpasswd-multi-environments
Correct address for the resource as of 2022/01/15.
https://tomschlick.com/conditional-htpasswd-multi-environments/
Here you go
order deny,allow
allow from 192.168.22.0/255.255.255.0
deny from all
You can use a subnet mask to make sure the visitors are from the same network. If you need to address another network, just use those IP's (as the server sees them)
To complete this answer, the following works.
#allows everything if its on a certain host
SetEnvIf HOST "^www.mysite.com" external_url
SetEnvIf HOST "^localhost" local_url
Order Deny,Allow
AuthName "Restricted Area"
AuthType Basic
AuthUserFile path/to/your/.htpasswd
AuthGroupFile /
Require valid-user
#Allow valid-user
Deny from all
Allow from env=external_url
Allow from env=local_url
Satisfy any
This pops up a Restricted Area login box if you visit via the www.mysite.com but displays nothing if you are coming locally.